In this paper we develop methods for analyzing key management and authentication protocols using techniques developed for the solutions of equations in a term rewriting system. In particular, we describe a model of a class of protocols and possible attacks on those protocols as term rewriting systems, and we also describe a software tool based on a narrowing algorithm that can be used in the analysis of such protocols. We formally model a protocol and describe the results of using these techniques to analyze security properties. We show how a security flaw was found, and we also describe the verification of a corrected scheme using these techniques. 1 Introduction It is difficult to be certain whether or not a cryptographic protocol satisfies its requirements. In a number of cases subtle security flaws have been found in protocols some time after they were published. These flaws were independent of the strengths or weakness of the cryptographic algorithms used. Examples include the N...

ion variables which are variables coming from an abstraction, either during preprocessing or during the algorithm itself. 3. Introduced variables which are variables introduced by the unification algorithms for each theory. We make the very natural assumption that the unification algorithm for each theory may recognize initial, abstraction and introduced variables and never assigns an introduced variable to a non-introduced one or an abstraction variable to an initial one. With this assumption, our combination algorithm will always make an introduced variable appear in at most one \Gamma i . We may thus also suppose that the domain of each solution does not contain an introduced variable. This does not compromise the soundness of our algorithm. The combination algorithm is described by the two rules given in figure 2. In the rule UnifSolve i , ae SF is obtained by abstracting aliens in the range of ae by fresh variables. ae F i is the substitution such that xae = xae SF ae F i for al...

: Constraint programming is strongly based on the use of solvers which are able to check satisfiability of constraints. We show in this paper a rule-based algorithm for solving in a modular way the satisfiability problem w.r.t. a class of theories Th. The case where Th is the union of two disjoint theories Th 1 and Th 2 is known for a long time but we study here different cases where function symbols are shared by Th 1 and Th 2 . The chosen approach leads to a highly non-deterministic decomposition algorithm but drastically simplifies the understanding of the combination problem. The obtained decomposition algorithm is illustrated by the combination of non-disjoint equational theories. Key-words: constraint programming, decision procedure, satisfiability, combination problem (R'esum'e : tsvp) INRIA-Lorraine & CRIN, e-mail: Christophe.Ringeissen@loria.fr Unit de recherche INRIA Lorraine Technpole de Nancy-Brabois, Campus scientifique, 615 rue de Jardin Botanique, BP 101, 54600 VILLE...

. We extend the results on combination of disjoint equational theories to combination of equational theories where the only function symbols shared are constants. This is possible because there exist finitely many proper shared terms (the constants) which can be assumed irreducible in any equational proof of the combined theory. We establish a connection between the equational combination framework and a more algebraic one. A unification algorithm provides a symbolic constraint solver in the combination of algebraic structures whose finite domains of values are non disjoint and correspond to constants. Primal algebras are particular finite algebras of practical relevance for manipulating hardware descriptions. 1 Introduction The combination problem for unification can be stated as follows: given two unification algorithms in two (consistent) equational theories E 1 on T (F 1 ; X) and E 2 on T (F 2 ; X), how to design a unification algorithm for E 1 [ E 2 on T (F 1 [ F 2 ; X)? The ge...

In this paper we present a view of constraint programming based on the notion of rewriting controlled by strategies. We argue that this concept allows us to describe in a unified way the constraint solving mechanism as well as the meta-language needed to manipulate the constraints. This has the advantage to provide descriptions that are very close to the proof theoretical setting used now to describe constraint manipulations like unification or numerical constraint solving. We examplify the approach by presenting examples of constraint solvers descriptions and combinations written in the ELAN language. 1

. This paper addresses the problem of systematically building a matching algorithm for the union of two disjoint equational theories. The question is under which conditions matching algorithms in the single theories are sufficient to obtain a matching algorithm in the combination? In general, the blind use of combination techniques introduces unification. Two different restrictions are considered in order to reduce this unification to matching. First, we show that combining matching algorithms (with linear constant restriction) is always sufficient for solving a pure fragment of combined matching problems. Second, we present a combined matching algorithm which is complete for the largest class of theories where unification is not needed, including collapse-free regular theories and linear theories. 1 Introduction The process of matching is crucial in term rewriting, from automated deduction involving simplification rules to the implementation of operational semantics for programming l...

. We establish that there is no polynomial-time general combination algorithm for unification in finitary equational theories, unless the complexity class #P of counting problems is contained in the class FP of function problems solvable in polynomial-time. The prevalent view in complexity theory is that such a collapse is extremely unlikely for a number of reasons, including the fact that the containment of #P in FP implies that P = NP. Our main result is obtained by establishing the intractrability of the counting problem for general AG-unification, where AG is the equational theory of Abelian groups. Specifically, we show that computing the cardinality of a minimal complete set of unifiers for general AG-unification is a #P-hard problem. In contrast, AG-unification with constants is solvable in polynomial time. Since an algorithm for general AG-unification can be obtained as a combination of a polynomialtime algorithm for AG-unification with constants and a polynomial-time algorithm...

In a recent paper, Baader and Schulz presented a general method for the combination of constraint systems for purely positive constraints. But negation plays an important role in constraint solving. E.g., it is vital for constraint entailment. Therefore it is of interest to extend their results to the combination of constraint problems containing negative constraints. We show that the combined solution domain introduced by Baader and Schulz is a domain in which one can solve positive and negative "mixed" constraints by presenting an algorithm that reduces solvability of positive and negative "mixed" constraints to solvability of pure constraints in the components. The existential theory in the combined solution domain is decidable if solvability of literals with so-called linear constant restrictions is decidable in the components. We also give a criterion for ground solvability of mixed constraints in the combined solution domain. The handling of negative constraints can be signific...